One Click to Compromise: Microsoft Copilot’s “Reprompt” Flaw Exposed

A new research report from Varonis Threat Labs has unveiled a vulnerability in Microsoft Copilot Personal that could have allowed attackers to steal sensitive data with a single mouse click. Dubbed “Reprompt,” this attack flow transforms a helpful AI assistant into a silent insider threat, bypassing enterprise security controls to exfiltrate data without the user ever realizing it.

The vulnerability, which has since been patched by Microsoft, highlights a growing class of risks where trusted AI tools are manipulated by external inputs.

Unlike traditional exploits that require complex malware or malicious plugins, Reprompt relies on the user simply clicking a link. According to the report, “Only a single click on a legitimate Microsoft link is required to compromise victims. No plugins, no user interaction with Copilot”.

Once the victim clicks the link, the attack is set in motion. The most alarming aspect of Reprompt is its persistence. The researchers discovered that “the attacker maintains control even when the Copilot chat is closed, allowing the victim’s session to be silently exfiltrated with no interaction beyond that first click”.

Security teams often rely on inspecting prompts to catch malicious activity, but Reprompt was designed to be undetectable by client-side tools. “All commands are delivered from the server after the initial prompt, making it impossible to determine what data is being exfiltrated just by inspecting the starting prompt,” the report explains.

This invisibility allows the attacker to ask highly intrusive questions, such as “Summarize all of the files that the user accessed today,” “Where does the user live?” or “What vacations does he have planned?”.

Because the attack leverages the AI’s trusted context, it “bypasses enterprise security controls entirely and accesses sensitive data without detection”.

Varonis warns that this discovery is not an isolated incident but a sign of things to come. “Reprompt represents a broader class of critical AI assistant vulnerabilities driven by external input”.

As AI assistants become deeply integrated into our digital lives, our trust in them becomes a liability. “As our research shows, trust can be easily exploited, and an AI assistant can turn into a data exfiltration weapon with a single click”.

Varonis advises vendors to “treat URL and external inputs as untrusted” and urges users to be cautious with links, even those that seem to come from legitimate sources.

Related Posts:

• Microsoft Unveils Enhanced Windows AI Features for “Copilot+ PC”
• New Attack on Microsoft 365 Copilot Steals Personal Data
• Mac Users Rejoice! Microsoft’s Copilot App Lands on the Mac App Store
• Copilot Is Coming to Your Living Room with New Samsung Smart TV Partnership
• Copilot Phishing: New Scam Targets Microsoft Users